[OCPNODE-553] Migrate ICSP to ImageDigest,TagMirrorSet CRDs

[QiWang19]

Migrate ICSP to ImageDigest,TagMirrorSet.
MCO has handled the object conversoin from icsp to ImageDiegstMirrorSet objects.

Epic: https://issues.redhat.com/browse/OCPNODE-521
Epic: https://issues.redhat.com/browse/OCPNODE-810

Signed-off-by: Qi Wang [email protected]

[mtrmac]

Just an extremely brief skim for now, not really a review.

Let’s start with the ICSP discussion.

[mtrmac]

At a first glance it seems to me that it should be possible to share more of the logic, but I haven’t read the code that carefully. (I do appreciate there’s a topoSortRepos now.)

Maybe an object that maintains disjointSets/mirrorBlockSource, with methods very vaguely like addMirrorSet(source, neverContactSource, mirrors) and mergedMirrorSets() []struct{source, neverContactSource, mirrors}? That way the two functions here would deal only with the data conversion with no logic at all.

Or maybe, instead of mergedMirrorSets, a sourceList() []string and updateRegistry(source, *Registry), to share more of the code in EditRegistriesConfig that just consumes the data from mergedMirrorSets.

[QiWang19]

@mtrmac PTAL. More code got shared.

[nee1esh]

/retest

[QiWang19]

/retest

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[openshift-ci]

@QiWang19: PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-bot]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

[QiWang19]

@mtrmac could you review it? ICSP object migration should be done in MCO, this PR update uses new APIs.

[rphillips]

/remove-lifecycle rotten

[rphillips]

The pointer indirection is likely not needed. Can we refactor this by removing the pointer indirection such that the functions do not take a pointer, like:

disjointSets: map[string]*[]*[]apicfgv1.ImageMirror{},

and

func (sets *mirrorSets) addMirrorSets(source string, mirrorSourcePolicy apicfgv1.MirrorSourcePolicy, mirrors *[]apicfgv1.ImageMirror)

The mirrors attribute probably doesn't need to be a pointer. Likewise for the other functions in the file.

[mtrmac]

@mtrmac could you review it? ICSP object migration should be done in MCO, this PR update uses new APIs.

Is that viable?

• https://github.com/openshift/enhancements/pull/873/files still says the v1alpha1 API will remain. So external users are going to be creating them over the lifetime of the cluster.
• At the very least https://github.com/mtrmac/openshift-apiserver/blob/master/pkg/image/apiserver/registry/imagestreamimport/rest.go#L217-L221 calls EditRegistries (and per the IDMS/ITMS enhancement, IIRC quite a few more repositories need to do so in the future). So is the idea that MCO is going to immediately convert, and delete, every created ICSP , and API consumers can then only deal with the new types? That seems fine for the controllers…
• … but what about users? They are going to create a ICSP and just not see it in the API after a few seconds. Is that reasonable?

(It might well be fine. It’s just not what I vaguely remember the earlier migration conversations to be like, and I just thought I’d ask before we commit to that direction.)

[mtrmac]

So is the idea that MCO is going to immediately convert, and delete, every created ICSP , and API consumers can then only deal with the new types?

I’m sorry, actually reading the code, MCO is keeping the ICSP resources around, so they are still available to old consumers.

That seems perfect to me. Back to actually reading this PR…

[mtrmac]

Two API semantics questions

And I’d like to push a bit further on the code sharing: The need to propagate blocked/insecure to sub-scopes is somewhat non-obvious, and having that triplicated feels a bit risky to me.

[mtrmac]

rdm refers to RepositoryDigestMirrors, so this should probably be renamed. mirrorsContainARealMirror? mirrorsContainSomeOtherThan?

[mtrmac]

Suggested change

	// sourceList collects the mirror sources and sort them in increasing order
	// sourceList collects the mirror sources and returns them sorted in increasing order

to be a bit clearer that this this does not affect the mirrorSets object.

[mtrmac]

Is it possible to have such a no-mirror object with NeverContactSource? If so, should we still set mirrorBlockSource?

(I’m most tempted to say that such an object is invalid and should be rejected, I’m not sure if it is practical. If it isn’t, both setting mirrorBlockSource and the current approach is, I guess, acceptable, but with the current approach, a extending the comment that yes, we ignore mirrorSourcePolicy and that’s intentional, would be useful.)

[mtrmac]

I don’t think we need to return correctly-typed Image{Tag,Digest}Mirrors from the pair of these functions — so we could define a local type mergedMirrorsItem struct { source, mirrors, mirrorSourcePolicy } and all of this loop could be also shared.

[mtrmac]

This is not just topological sort. Maybe {shared,raw}MergedMirrors? (Or, alternatively, if the loop calling this can be made shared, it can be inlined back. OTOH having this code as a separate function might be a better granularity for unit testing.)

[mtrmac]

Non-blocking: If set is not used other than to read one of its fields, it doesn’t need to be constructed.

[mtrmac]

Absolutely non-blocking: assert.NoError would be a better match here.

[mtrmac]

insecure, blocked, want are unused, so that can be dropped.

Non-blocking: This test could be shorter and somewhat easier to fit on the screen with:

• Only including one set of mirrors instead of three in every item.
• Making the test data idmsNonempty, itmsNonempty, icspNonempty bool, and letting the testing loop provide data or an empty array.

[mtrmac]

This test does not set anything to insecure nor blocked, so using the insecure.com/blocked.com domains is a bit unexpected.

What is being tested here? Just a smoke-test of correctly creating tag entries? Two entries would be enough for that.

[mtrmac]

The failing tests do seem to suggest that updating to Go ≥ 1.18 is required to be able to consume the new API module.

[mtrmac]

The failing tests do seem to suggest that updating to Go ≥ 1.18 is required to be able to consume the new API module.

Ah, that’s being handled in openshift/release#31916 .

[QiWang19]

@mtrmac PTAL

[mtrmac]

Thanks!

Implementation LGTM, just a few cleanup suggestions. Looking at the tests, I’m unsure why various tests were just dropped.

[mtrmac]

This now has only one caller and it can be inlined back.

[mtrmac]

Suggested change

	func (sets *mirrorSets) addMirrorSets(source string, mirrorSourcePolicy apicfgv1.MirrorSourcePolicy, mirrors []apicfgv1.ImageMirror) {
	func (sets *mirrorSets) addMirrorSet(source string, mirrorSourcePolicy apicfgv1.MirrorSourcePolicy, mirrors []apicfgv1.ImageMirror) {

sets is multiple sets, this is adding a single one.

[mtrmac]

Absolutely non-blocking: This copy is probably avoidable, perhaps with some more casts in the merging implementation.

(It’s a bit weird for ICSP to do a copy to convert to ImageMirror, only for this code to convert back to strings.)

But the cost is trivial either way, I’m not worried about it at all.

[mtrmac]

This doesn’t need to return source, it’s just the caller-supplied value.

[mtrmac]

Reading the full context, (contrary to my earlier suggestion — my mistake) mergedMirrorSet is probably the right name. That’s what it is (unlike “item”, which says nothing), and both functions like mergedICSPMirrorSets and variables like tagMirrorSets use that naming.

[mtrmac]

Please do this in the data.

[mtrmac]

Absolutely non-blocking: require.NoError(t, err) is shorter. This works just fine — and I realize the original was this way as well.

[mtrmac]

This comment seems inapplicable.

[mtrmac]

This comment seems inapplicable.

[mtrmac]

The following test cases were dropped. Is there a specific reason for that? If not, please add them back.

[QiWang19]

Added back. Accidently removed during the last code cleanup.

[QiWang19]

@mtrmac PTAL.

[mtrmac]

One very last thing - the tc.name == … condition.

LGTM otherwise.

[mtrmac]

Non-blocking: The string() cast can now be dropped.

[mtrmac]

Absolutely non-blocking:

for _, set := range … { /* use set */ }

would be one variable and one line shorter. (In all three instances.)

[mtrmac]

(Absolutely non-blocking: drop this line? I don’t think it separates “paragraphs” / individual ideas when placed here.)

[mtrmac]

Please make this driven by a real data field.

Either here,

if tc.requiresMirrorSourcePolicy { t.Skip() }

(and set the tc.requiresMirrorSourcePolicy field on the test case), or (preferably?) make this fully automatic below, with something like

if item.mirrorSourcePolicy != "" {
    t.Skip("…")
}

[openshift-ci]

@QiWang19: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[mtrmac]

/approve

[mtrmac]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mtrmac, QiWang19

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [mtrmac]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mtrmac]

Thanks!